6 Answers

In addition to disk encryption, a policy to not allow any sensitive data to be left on the laptop may be helpful. Instead require the laptop to VPN & RDP to a secured machine back at the office. With this approach you will lose the ability to work offline, but depending on how sensitive the data is, this might be the best option.

You can also use some type of Remote Laptop Security (RLS) that phones home. If the purp is using the laptop, this can be a good way to find and recover the laptop. I have never used these services, but here is an example.

I would also lock up the machine with Windows Steady State which resets the machine to any state you want to. If it gets infected, reboot. Put a belt with those suspenders baby.
– Matt, Jun 11 '09 at 18:52

Why do you have to keep sensitive data off the disk if it's encrypted? Also, how could the "purp" use the laptop if it's encrypted? He'd have to wipe the drive to install an OS, killing your RLS.
– Jeremy Stein, Jun 12 '09 at 17:54

I'd err on the side of caution with sensitive data. It is possible someone could steal the laptop while it is unlocked.
– Bob, Jun 12 '09 at 19:32

I suggest TrueCrypt for full disk encryption. Being open source, the price is right and it works well. The one downside is there's no way to centrally manage it, so if someone left on bad terms, there's no way to retrieve the password.

Yes, you can recover the password. Just create a rescue disk with your admin password before handing over the laptop. The user can change the password, but you can always restore it. truecrypt.org/docs/rescue-disk
– Jeremy Stein, Jun 12 '09 at 17:52

Very interesting. It's not clear from the docs that it's the case.
– Knox, Jun 12 '09 at 18:13

I agree about the docs. When you actually do it, the on-screen instructions make this clear.
– Jeremy Stein, Jun 12 '09 at 19:26

Things other people have said about disk encryption and VPN are very good. Another good idea is to disable USB ports. If a legitimate user moves data to a USB stick from an encrypted drive, the encryption is useless.

The best thing you can do, above and beyond that, is to have multi-factor authentication such as Yubikey or RSA SecurID. Someone who steals an unattended laptop is unlikely to also steal someone's keys. By forcing someone to have a password as well as a physical object in order to authenticate, it becomes extremely difficult for thieves to access the data. If they steal the laptop, they'll get free hardware, but they won't get your data.

"disabling USB" seems more like an alibi solution. You can always use the net, plus users might legitimately need to use USB. If you don't trust your users, you're screwed anyway...
– sleske, Feb 22 '10 at 23:36
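Added example (not part of the answer or the comments above): the USB-stick concern in that answer is usually handled by stopping Windows from loading its USB mass-storage driver rather than by physically disabling ports, so keyboards and mice keep working. The script below reads and sets the `Start` value of the USBSTOR service in the registry (4 = disabled, 3 = the normal manual-start state). It assumes an elevated PowerShell prompt; the function names are my own.

```powershell
# Added example: audit and optionally disable the USB mass-storage driver so
# data cannot be copied off an encrypted disk onto a USB stick.
# USBSTOR is the Windows driver for removable USB disks; Start=4 stops it from
# loading (SERVICE_DISABLED), Start=3 is the default enabled state
# (SERVICE_DEMAND_START). HID devices such as keyboards are unaffected.
# Run from an elevated PowerShell prompt.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    switch ($start) {
        3       { 'Enabled' }
        4       { 'Disabled' }
        default { "Unexpected Start value $start" }
    }
}

function Disable-UsbStorage {
    # The change persists across reboots; a stick that is already mounted
    # stays mounted until it is unplugged or the machine restarts.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
}

function Enable-UsbStorage {
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
}

# Usage: report the current state, then lock it down if still enabled.
$state = Get-UsbStorageState
Write-Host "USB mass storage: $state"
if ($state -eq 'Enabled') {
    Disable-UsbStorage
    Write-Host "USB mass storage now: $(Get-UsbStorageState)"
}
```

For a fleet this is better pushed centrally through the "Removable Storage Access" Group Policy settings than edited per machine, and, as the comment above notes, it only closes the USB path; network transfers are a separate control.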

If your machines are Windows Vista or 7, go with BitLocker, which is a pretty nice built-in full disk encryption solution. I think with Vista you need Ultimate or Enterprise, and 7 includes it with those two and Business. If I am wrong on this feel free to comment and I will adjust my entry.
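Added example (not from the answer above): a quick check that a laptop's system drive really is protected by BitLocker before it leaves the building. It wraps `manage-bde.exe -status`, which ships with Windows 7 and later (Vista used the `manage-bde.wsf` script, which this assumes is not in scope), and treats the drive as compliant only if it is both fully encrypted and has protection switched on; a drive with protection suspended is fully encrypted yet readable. The parsing assumes English output, and the function name is my own.

```powershell
# Added example: summarise BitLocker state for one volume and fail if the
# volume is not both "Fully Encrypted" and "Protection On".
# Requires manage-bde.exe (Windows 7 and later) and an elevated prompt.

function Get-BitLockerSummary {
    param([string]$Drive = $env:SystemDrive)   # e.g. 'C:'

    $output = & manage-bde.exe -status $Drive 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde failed for $Drive (exit $LASTEXITCODE): $output"
    }

    # Relevant lines look like "    Conversion Status:    Fully Encrypted"
    # and "    Protection Status:    Protection On" (English locale assumed).
    $fields = @{}
    foreach ($line in $output) {
        if ($line -match '^\s*(Conversion Status|Protection Status|Encryption Method):\s*(.*)$') {
            $fields[$matches[1]] = $matches[2].Trim()
        }
    }

    [pscustomobject]@{
        Drive            = $Drive
        ConversionStatus = $fields['Conversion Status']
        ProtectionStatus = $fields['Protection Status']
        EncryptionMethod = $fields['Encryption Method']
        # "Fully Encrypted" alone is not enough: a suspended volume stores its
        # key in the clear, so protection must also be on.
        Compliant        = ($fields['Conversion Status'] -eq 'Fully Encrypted' -and
                            $fields['Protection Status'] -eq 'Protection On')
    }
}

# Usage: print the summary and exit non-zero for use in a login or audit script.
$summary = Get-BitLockerSummary
$summary | Format-List
if (-not $summary.Compliant) {
    Write-Warning "$($summary.Drive) is not fully protected by BitLocker."
    exit 1
}
```

On Windows 8 and later the same information is available through the `Get-BitLockerVolume` cmdlet, but the `manage-bde` route works on the Windows 7 machines the answer is about.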